LFI (Local File Inclusion) and RFI (Remote File Inclusion) are the most common vulnerabilities in insecure web applications. Essentially, a website (usually PHP, but it doesn't have to be) accepts user input with poor or no input sanitization. This means that a rogue user can use the vulnerability to read local or remote files, which can disclose information and/or even provide a way to achieve remote code execution (RCE).
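The pattern described above, as an added example that is not code from the original page: the unsafe include appears only as a comment, followed by a hardened handler that maps the parameter through an allowlist. The `page` parameter, the `pages/` directory and the file names are assumptions made for illustration.

```php
<?php
// Added example. Parameter name, directory and file names are hypothetical.

// Vulnerable pattern (kept as a comment so it is never executed):
//   include $_GET['page'];
// The request parameter decides which file PHP loads, so the caller controls the path.

const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: request value => file name fixed by the developer.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to a file inside PAGES_DIR, or return null.
 */
function resolve_page($requested): ?string
{
    // Reject arrays (?page[]=x) and unknown keys; user input never becomes part of the path.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$requested]);
    // Defence in depth: after symlink resolution the file must still sit under PAGES_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

Remote inclusion additionally depends on the `allow_url_include` setting in `php.ini`, which is off by default and should stay off.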